“New European Commission Guidelines for Artificial Intelligence: Obligations and Risks”

Recently, following the publication of the final version of the code of conduct regarding best practices in artificial intelligence, the European Commission has provided further clarifications on the obligations set forth by the AI Act. These guidelines focus on four main aspects.

The first topic addressed concerns general-purpose artificial intelligence (AI) models, for which a clear definition is provided. The second topic pertains to suppliers who introduce general-purpose AI models to the market, through an identification process. The third point examines exemptions from specific obligations for those suppliers of AI models released under free or open-source licenses, provided they meet certain transparency requirements. Finally, the fourth topic analyzes how suppliers must comply with the obligations for general-purpose AI models.

These guidelines aim to clarify the provisions and provide useful guidance to all stakeholders in the AI value chain, in conjunction with the recent code of conduct. The Commission intends to support businesses with practical suggestions for implementing, among other things, technical documentation of the model, compliance policies for copyright, and a public summary of the data used for training.

In particular, for models with systemic risk, the guidelines emphasize the importance of conducting continuous assessments, reporting any incidents, and ensuring adequate data protection, focusing on aspects related to cybersecurity. It is important to note that these guidelines are not legally binding but are strongly recommended.

A key role in overseeing these practices is played by the AI Office, which will adopt a collaborative and proportionate approach to monitor the application of the rules. However, its enforcement powers will only be active from August 2, 2026, thus providing a year for companies to comply with the new regulations.

For suppliers of general-purpose AI models with systemic risk, there are specific obligations to be met, including the need to “continuously assess and mitigate risks.” This implies that suppliers must ensure an adequate level of cybersecurity throughout the entire lifecycle of the model. The concept of “lifecycle” is crucial and determines suppliers’ obligations concerning general-purpose AI models with systemic risk.

Among the legal responsibilities, suppliers of AI models must prepare and maintain technical documentation, sharing details of the development process with the AI Office when requested. Additionally, they must provide downstream suppliers with information about the capabilities and limitations of their models to facilitate adequate compliance with legal requirements. They must also implement compliance policies for copyright and publish a detailed summary of the content used for training the model, designating an authorized representative within the European Union if the model is developed outside the EU.

Suppliers of general-purpose AI models released under free or open-source licenses may be exempt from certain obligations; however, suppliers of models with systemic risk must still meet additional requirements, as known to the competent authority when developing a high-impact model.

To help businesses understand whether they must comply with the obligations concerning general-purpose AI models, the Commission has defined key criteria. For example, companies must first ensure that the model falls under the category of general-purpose AI and that they are indeed the ones introducing it to the market.

In addition to regulatory requirements, general-purpose AI models may present “systemic risks,” defined as risks arising from the high-impact capabilities of the models. Such risks can significantly affect the European Union market and cause negative effects on public health, safety, or fundamental rights.

Regarding risk classification, the law stipulates that a general-purpose AI model may be considered high-impact if it meets certain parameters, such as computational capacity or as a result…
